Paleohacks Data Leak Exposes Customers’ Personal Information
This Major Data Breach Is the Consequence of a Serious Security Error, Jeopardizing the Wellbeing of Paleohacks Customers and the Company Itself.
Paleohacks, the largest paleo diet & paleo recipes online community, has suffered a major data breach that originated from a cloud account the company was using to store the private data of its customers.
The breach was discovered by vpnMentor’s research team who revealed that Paleohacks had failed to implement basic security protocols. As a consequence, the personal details of over 70,000 customers and users have been leaked online, including names, email addresses, profile photos, and PII data. The victims are now subject to fraud, identity theft, hacking, and other types of cyberattacks.
Images Source: vpnMentor
The research team, led by Noam Rotem, said Paleohacks was using an Amazon Web Services (AWS) S3 bucket to store its customer data which is highly popular among businesses worldwide. Nevertheless, the multimedia online lifestyle brand failed to manually set up their data privacy protocols when creating the S3 bucket account. This misconfiguration left the entire content publicly exposed to anyone with the most basic hacking skills.
Image Source: vpnMentor
According to the researchers, some of the entries also contained password reset tokens for subscription and membership services. These tokens were protected via the BCRYPT hashing algorithm but it could still be possible for cybercriminals to abuse them.
Aside from PII data and personal information, some entries in the bucket also contained password reset tokens for account holders on Paleohacks’ subscription and membership products.
While the passwords were protected by the BCRYPT hashing algorithm (a sophisticated form of password encryption), a hacker could easily use the tokens to reset a person’s password, gain access, and lock the original user out of their account. Doing so would allow the hackers to take control of 1,000s of Paleohacks accounts and any additional data stored therein.
The breach was first discovered on February 4th, 2021, and although vpnMentor reached out to the vendor on February 7th, 9th, and March 17th, the company has ignored every attempt the team has made to help them close the vulnerability, telling them they’re “not interested”.
As a last resort, the team reached out to Amazon and the AWS S3 bucket was eventually secured.
At this point, it is unknown whether unauthorized parties accessed the bucket before it was secured against intrusion.
The research team advises customers concerned about how this breach might impact them to contact the Paleohacks directly to determine what steps it’s taking to protect their data.